1. 18CSE354T-NETWORK SECURITY
UNIT – 1
CLR-1: Understanding the Basic Concepts of Networking Devices
CLO-1: Acquire the knowledge of network devices used in data communication
1
2. Topics
Networking Devices (Layer1,2)
Networking Devices (Layer 3)
Different types of network layer attacks
Firewall- ACL
Packet Filtering
DMZ, Alerts
Audit Trials
IDS
Advantages and Disadvantages of IDS(Need of IPS)
Advantages of IPS over IDS
IPS
IPS Types- Signature based
Anomaly based, Policy based
IPS Types - Honeypot based
Applications
Malicious Software
2
8. NIC stands on first place. Without this device, networking cannot be done.
This is also known as network adapter card, Ethernet Card and LAN card
A PC uses parallel data transmission technology to transmit data between its
internal parts while the media that connects this PC with other PCs uses serial
data transmission technology
A NIC converts parallel data stream into serial data stream and vice versa
serial data stream is get converted in parallel data stream.
Network Interface Card (NIC)
8
9. Types of NICs
There are two types of NICs
Media Specific :- Different types of NICs are required to connect with different
types of media. For example we cannot connect wired media with wireless NIC
card. Just like this, we cannot connect coaxial cable with Ethernet LAN card. We
have to use the LAN card that is particularly built for the media type which we
have.
Network Design Specific :- A specific network design needs a specific LAN
card. For example FDDI, Token Ring and Ethernet have their own distinctive
type of NICs card. They cannot use other’s NIC card.
9
10. 1 BNC and 1 RJ45 NIC
4 RJ45 NIC
PCMCIA for Laptops
Single RJ45 NIC
Token Ring NIC
10
11. Router is a layer three device operates at Network Layer which forwards data
packet from one logical network segment to another.
Router forwards packets on the bases of their destination address. For this router
keeps record of the path that packets can use as they move across the network.
These records are maintained in a database table known as routing table.
Routing table can be built statically or dynamically
Routers
11
12. Basically routers are used :-
To connect different network segments.
To connect different network protocols such as IP and IPX.
To connect several smaller networks into a large network (known as
internetwork)
To break a large network in smaller networks (Known as subnet usually created
to improve the performance or manageability)
To connect two different media types such as UTP and fiber optical.
To connect two different network architectures such as token ring and Ethernet.
To connect LAN network with Telco company’s office (Known as DTE device).
To access DSL services (known as DSL Router).
12
14. Repeater – A repeater operates at the physical layer.
Its job is to regenerate the signal over the same network before the signal
becomes too weak or corrupted so as to extend the length to which the signal can
be transmitted over the same network.
An important point to be noted about repeaters is that they do not amplify the
signal.
When the signal becomes weak, they copy the signal bit by bit and regenerate it at
the original strength. It is a 2 port device.
Repeater
14
15. HUB operated at Physical Layer is used to connect multiple computers in a single
workgroup LAN network. Typically HUBs are available with 4,8,12,24,48 ports.
Based on port type, there are two types of HUB:-
Ethernet HUB :- In this type of HUB all ports have RJ-45 connectors.
Combo HUB :- In this type of HUB ports have several different types of
connectors such RJ-45, BNC, and AUI.
For Example a HUB which has four ports. Ports share everything. One port
received data signal from its connected device. It will make three copies of data
signal from HUB and give one copy to each port. Receiver port doesn’t need a
copy of data signal for itself as it has it the original version.
HUB
15
16. When a hub receives signal on its port, it repeats the signal and forwards that
signal from all ports except the port on which the signal arrived
There are two types of HUB
Passive HUB:- It forwards the data signal from all ports
except the port on which signal arrived.
It doesn’t interfere in data signal.
Active HUB:- It also forwards the data signal from all
ports except the port on which signal arrived. But before
forwarding, it improves quality of data signal by
amplifying it. Due to this added features active HUB
is also known as repeaters.
16
18. Bridge operates at data link layer
It is used to divide a large network in smaller segments.
For example a network has 70 nodes.
Without segmentation all these nodes will share same collision domain that
will bring down overall network performance.
To run a network smoothly we should not place more than 20 nodes in a
collision domain.
To deal with this situation we can use Bridge.
Bridge has per port collision domain which means if a port faces collision,
other ports will not effect from this collision.
Bridge
18
19. Basic function of Bridge are following :-
•Break a large network in smaller segments.
•Join different media types such as UTP with fiber optic.
•Join different network architectures such as Ethernet with Token Ring.
There are three types of bridge:-
Local Bridge :- This bridge connects two LAN segments directly. In Ethernet
Implementation it is known as Transparent bridge. In Token Ring network it is
called Source-Routed bridge
19
20. Remote Bridge :-
This bridge connects with another
bridge over the WAN link.
Wireless Bridge :- This bridge connects with another bridge without wiring
between them.
20
21. In OSI Layer model Bridge works at physical layer and data link layer.
Bridges have following issues :-
•Bridges have limited ports
•In bridge forward decision are made through the software which slow down
overall performance of network
•Bridges use age old technology which is not capable to fulfill the requirement of
modern networks effectively
Switch and Router solves these issues
21
22. Just like Hub and Bridge, switch is also used to connect multiple computers
together in a LAN segment.
Switch operates at data link layer
Switches available with 4,8,12,24,48,64 ports.
Each switch port has a separate collision domain.
At layer two data signals are formatted in frames.
When a switch receives frame, it checks FCS (Frame checksum sequence) field
in it.
Switch process the frame only if it is valid.
All invalided frames are automatically dropped.
All valid frames are processed and forwarded to their destination MAC address.
Switch
22
23. Switches support three methods of switching
•Store and Forward
•Cut and Through
•Fragment Free
Store and Forward
This is the basic mode of switching. In this mode Switch buffers entire frame
into the memory and run FCS (Frame Check Sequence) to ensure that frame is
valid and not corrupted.
A frame less than 64bytes and higher than 1518bytes is invalid.
Only valid frames are processed and all invalid frames are automatically
dropped.
Among these three methods, this method has highest latency.
Latency is the time taken by device in passing frame from it.
23
24. Cut and Through
Cut and Through method has lowest latency.
In this method Switch only read first six bytes from frame after the preamble.
These six bytes are the destination address of frame.
This is the fastest method of switching.
This method also process invalid frames.
Only advantage of this method is speed.
24
25. Fragment Free
This is a hybrid version of Store and Forward method and Cut and Through
method.
It takes goodies from both methods and makes a perfect method for switching.
It checks first 64 bytes of frame for error. It processes only those frames that
have first 64bytes valid.
Any frame less than 64 bytes is known as runt. Runt is an invalid frame type.
This method filters runt while maintaining the speed.
25
26. Gateway –
A gateway, as the name suggests, is a passage to connect two networks together
that may work upon different networking models.
They basically work as the messenger agents that take data from one system,
interpret it, and transfer it to another system.
Gateways are also called protocol converters and can operate at any network
layer. Gateways are generally more complex than switch or router.
Brouter –
It is also known as bridging router is a device which combines features of both
bridge and router.
It can work either at data link layer or at network layer.
Working as router, it is capable of routing packets across networks and working
as bridge, it is capable of filtering local area network traffic.
Gateway and Brouter
26
28. A Computer networks is a collection of
nodes or computers or systems
and devices
connected together through
communication devices
and transmission media Guided Media Wireless Media
Definition of Computer Networks
28
32. Seven Layers of OSI
How to transmit signal; coding Hardware
means of sending an receiving data on a carrier
Two party communication: Ethernet 🡪
Routing and Forwarding Address: IP 🡪
End-to-end control & error checking
(ensure complete data transfer): TCP 🡪
Establish/manage connection 🡪
ASCII Text, Sound (syntax layer) 🡪
File Transfer, Email, Remote Login 🡪
38
36. • Passive attacks: A Passive attack attempts
to learn or make use of information from the
system but does not affect system resources.
Passive Attacks are in the nature of
eavesdropping on or monitoring of
transmission. The goal of the opponent is to
obtain information is being transmitted.
• Types of Passive attacks are as following
1. The release of message content
2. Traffic analysis
55
37. • The release of message content –
Telephonic conversation, an electronic
mail message or a transferred file may
contain sensitive or confidential
information. We would like to prevent an
opponent from learning the contents of
these transmissions
56
38. • Traffic analysis –
Suppose that we had a way of masking
(encryption) of information, so that the attacker
even if captured the message could not extract
any information from the message.
The opponent could determine the location and
identity of communicating host and could observe
the frequency and length of messages being
exchanged. This information might be useful in
guessing the nature of the communication that
was taking place.
57
39. Types of Attacks
Active attacks: An Active attack attempts to alter
system resources or effect their operations. Active
attack involve some modification of the data stream
or creation of false statement. Types of active
attacks are as following:
1. Masquerade
2. Replay
3. Modification of messages
4. Denial of Service
5. Repudiation
58
40. • Masquerade –
Masquerade attack takes place when one
entity pretends to be different entity. A
Masquerade attack involves one of the
other form of active attacks.
59
41. • Replay –
It involves the passive capture of a
message and its subsequent the
transmission to produce an authorized
effect.
60
42. • Modification of messages –
It means that some portion of a message is altered
or that message is delayed or reordered to produce
an unauthorised effect. For example, a message
meaning “Allow JOHN to read confidential file X” is
modified as “Allow Smith to read confidential file X”.
61
43. • Denial of Service –
It prevents normal use of communication facilities. This
attack may have a specific target. For example, an entity
may suppress all messages directed to a particular
destination. Another form of service denial is the
disruption of an entire network by disabling the network
or by overloading it by messages so as to degrade
performance.
62
44. • Repudiation
This attack is done by either sender or receiver.
The sender or receiver can deny later that
he/she has send or receive a message.
For example, customer ask his Bank “To
transfer an amount to someone” and later on
the sender(customer) deny that he had made
such a request. This is repudiation.
63
45. Introduction
• The main responsibility of the network layer is to
transmit the packets from the source to the
destination by finding the best route, which is the
route that has the lowest cost and shortest path
from the source to the destination.
• The goal of the attacks on the Network Layer is to
disrupt the path between the source and
destination that is chosen from the routing
protocols.
Network Layer Attacks
46. 1. IP Address Spoofing
IP address spoofing is the act of falsifying the content in the Source IP header,
usually with randomized numbers, either to mask the sender’s identity or to
launch a reflected DDoS attack.
47. • IP Spoofing Attack
• Hijacking Attack
• The Smurf Attack
• Wormhole Attack
• Black hole Attack
• Sybil Attack
• Sinkhole Attack
66
Different Types of Network Layer Attacks
48. IP Spoofing Attack
• This technique is used from the attackers to gain
unauthorized access to the servers.
• The attacker will send messages to the server not with
his own IP address, but with a “trusted” IP address.
• In this way the server will not understand that it is
getting traffic from an attacker.
• After the attacker will find the “trusted IP” address,
will modify the headers of the packets in the way that
the attacked server will think the packets are coming
from “trusted” IP.
• The main route cause of DDoS (Distributed Denial of
Service) attacks is IP spoofing.
49. IP Spoofing Attack Cont..
• IP spoofing attack can further cause the below
attacks:
– Blind Spoofing
– Non-Blind Spoofing
– Man in the Middle
Attack
50. Blind Spoofing
• In this type of attack, a cracker outside the perimeter of the
local network.
• He transmits multiple packets to his intended target to
receive a series of sequence numbers, which are generally
used to assemble packets in the order
• The cracker is blind to how transmissions take place on this
network, so he needs to coax the machine into responding
to his own requests so he can analyze the sequence
numbers.
• By taking advantage of knowing the sequence number, the
cracker can falsify his identity by injecting data into the
stream of packets without having to have authenticated
himself when the connection was first established.
51. Non – Blind Spoofing
• In this type of attack, the cracker resides on the same
subnet as his intended target, so by sniffing the wire
for existing transmissions, he can understand an entire
sequence/acknowledge cycle between his target and
other hosts (hence the cracker isn't "blind" to the
sequence numbers).
• Once the sequence is known, the attacker can hijack
sessions that have already been built by disguising
himself as another machine, bypassing any sort of
authentication that was previously conducted on that
connection.
52. Man-in-the-Middle Attack
• Imagine two hosts participating in normal transmissions
between each other.
• In a man-in-the-middle attack, a malicious machine
intercepts the packets sent between these machines, alters
the packets and then sends them on to the intended
destination, with the originating and receiving machines
unaware their communications have been tampered with;
this is where the spoofing element enters the equation.
• Typically, this type of attack is used to get targets to reveal
secure information and continue such transmissions for a
period of time, all the while unaware that the machine in
the middle of the transmission is eavesdropping the whole
time.
54. 2. Hijacking Attack
• Another method used to attack the network layer is
hijacking. These attacks are easy to implement, but difficult
to detect.
• The basic idea of the attack is to disrupt a session between
client and server and take over the IP address of the trusted
client.
• The next step of the attacker is to discontinue the
communication between the server and the trusted client
and to create a new session with server by pretending to be
the trusted client.
• After the new connection is created, the attacker can take
the data he wants from server until this attack will be detect
from the victim client (trusted IP) or from the server.
55. Hijacking Attack Cont..
• These attacks happens when the server is unaware for a
certain amount of time of the existence of an attacker on
the network and the legitimate client that is disconnected
from the network (from the attacker), the attacker will make
sure to keep it unaware of the attack.
• The attackers usually use different tools to monitor the
victim’s network, such as WirelessMon, Ethereal,
Netstumbler.
• If the wireless network will not use advanced encryption
methods, and different authentication mechanism, the
possibilities to be attacked using hijacking will be high.
59. The Smurf Attack
• This attacking technique is a DoS (Denial of Service) attack
that happen on the network layer.
• These attacks are very easy to implement. The idea of this
attack is to overload a server with packets.
• The attacker will send a high number of packets from a
spoofed IP address to the server.
• The main goal of these attacks is to disable the service the
network is providing.
• Many techniques of attacking are used to achieve this goal.
• When the attacker wants to realize a Smurf attack, he will
transmit to the intended victim a large number of Internet
Control Message Protocol (ICMP) by using an IP broadcast
address.
60. The Smurf Attack Cont..
• To achieve this, the attackers use a program called
“smurf” that builds a network packet which appears at
the attacked server as it is coming from the trusted IP
address.
• When the attacked server will receive this ICMP
packets, by default the server will response to the
request.
• The “smurf” program will generate the necessary
amount of ICMP requests to overload the victim with
ICMP requests and responses until this device will not
be able to provide the necessary services on the
network.
61. 4. Wormhole Attacks
• These attacks are the most severe attacks and
complicated attacks in wireless network.
• Wormhole attacks are very hard to detect and to
protect from them. Even when all the communication
on the wireless network provides authenticity and
confidentiality, a wormhole attack can happen.
• The attackers will record the packets at one point of
the network and retransmits them to another point of
the network using private highspeed network, and
then replays them into the network from that point.
• These kind of attacks are a serious threat against
network routing protocols.
62. 5. Blackhole Attack
• This attack is a type of Denial of Service attack. The main idea of
this attack is to drop the incoming and outgoing information
between the receiver and the source.
• In blackhole attack, the attacker will capture all the packets and
discard them instead of forwarding them to the destination.
• The effectiveness of the network will be decreased during this
attack, while important packets will not reach the destination.
• Network parameters such as delay and throughput will be
changed during the blackhole attack.
• The delay will be increased because the packets will not be
delivered to the destination.
• The throughput will be become very less, while it will be used
from the blackhole attacker.
63. 6. Sybil Attack
• Sybil attack is a method of attacking by stealing or fabricating the
identities of other devices on the network.
• The attacker will use these identities to operate as multiple
identities to other network devices.
• Usually, this method of attack is used against routing algorithms.
• There are two types of Sybil attacks:
– external and internal.
• Using different security mechanisms, external attack can be
prevented.
• To stop an internal attack is used the method of mapping
between identity and entity by one to one.
• Unfortunately, this attack is able to overlap the mapping by
creating multiple identities
64. 7. Sinkhole Attack
• Malicious device on the network advertises itself to the
routing protocols as having the best path to the
destination.
• Some protocols will try to verify if this path is the shortest
path to communicate with the destination by using
acknowledgment packets.
• Using these packets, the protocol will understand if this
path has reliability, and if the latency is low.
• The sinkhole attack can transmit false report attacks or
reply route messages, making in this way the malicious
device look attractive path to forward their packets to the
destination
68. A firewall can be defined as a special type of
network security device or a software program
that monitors and filters incoming and
outgoing network traffic based on a defined
set of security rules.
It acts as a barrier between internal private
networks and external sources (such as the
public Internet).
87
What is a Firewall?
70. Introduction
• Firewalls control the flow of network traffic
• Firewalls have applicability in networks
where there is no internet connectivity
• Firewalls operate on number of layers
• Can also act as VPN gateways
• Active content filtering technologies
72. Firewall Environments
• There are different types of environments
where a firewall can be implemented.
• Simple environment can be a packet filter
firewall
• Complex environments can be several
firewalls and proxies
73. What is Data Packets ?
Requested data is not downloaded in single transmission
78. Packet Filter
• Work at the network level of the OSI model
• Each packet is compared to a set of criteria
before it is forwarded
• Packet filtering firewalls is low cost and low
impact on network performance
83. Packet Firewall
• Verifies only the Sender’s , Receiver's IP
Address and Port Number.
• Payload not verified
• It is Cheap
• Low Security
Packet Firewall suits for Low Risk Environment (Florist Shop)
84. 2.Stateful Inspection Firewalls(Dynamic Packet Filters)
105
• It is also known as ‘Dynamic Packet Filters’.
• It keeps track of the state of active connections
and uses this information to decide which
packets to allow through it.
i.e., it adapts itself to the current exchange of
information, unlike the normal packet
filters/stateless packet filters, which have
hardcoded routing rules
86. Application-Level Gateway / Proxy Firewall
• Verifies only the Sender’s , Receiver's IP
Address and Port Number.
• Verifies Payload too
• It is slower than Packet firewall
• Proxy firewall suits for Medium Risk
Environment (Universities)
87. Application Proxy Firewall
• Packet filters look only at the headers of the packets, not at the data
inside the packets.
• An application layer firewall (proxy; also called as bastion)
simulates the proper effects of an application so that the application
receives only requests to act properly.
• A proxy gateway is a two-headed device: It looks to the inside as if it is the
outside (destination) connection; while to the outside, it responds as it is
from the inside.
Proxy
Server
Application
Protocol
Analysis
Proxy
Client
Internal
Network
Real
Server
Dual-homed
Proxy Firewall
Real
Client
Request
Forwarded
Reply
Forwarded
Request
Internet
Reply
Note: The proxy services
running on such firewalls
are preferred to be independent
of each other to avoid any
vulnerability.
108
88. Application
Proxy
Firewall
Source (adapted from): Figure 22.1(d) from William Stallings – Cryptography and Network
Security, 5th
Edition
Application
Transport
Network
Link Layer
Physical Layer
Application
Transport
Network
Link Layer
Physical Layer
Application Proxy
Inside
Connection
Outside
Connection
Telnet
FTP
SMTP
HTTP
Application-level
Gateway
Inside
Connection
Outside
Connection
Inside Host Outside Host
110
90. • They tend to be more secure than packet
filters.
• The application level gateway need only
scrutinize a few allowable applications.
• It is easy to log & audit all incoming traffic
at the application level.
113
Advantages of Application Gateways
91. • Additional processing overhead on each
connection.
• There are two spliced connections between the
end users , with the gateway at the splice point.
The gateway must examine and forward all
traffic in both directions.
114
Disadvantages of Application Gateways
97. What is ACL?
• Basically ACL is the integrated feature of IOS software
that is used to filter the network traffic passing through
the IOS devices. Network traffic flows in the form of
packets.
• A packet contains small piece of data and all necessary
information which are required to deliver it.
• By default when a router receives a packet in interface,
it takes following actions:-
• Grab destination address from the packet
• Find an entry for destination address in routing table
• If match found, forwards the packet from associate interface
• If no match found, discard the packet immediately.
98. Simple Network
In this network, no
security policy is applied
on router. So router will
not be able to distinguish
between user’s packet and
adversary’s packet. From
router’s point of view, both
packets have correct
destination address so
they should be forwarded
from exit interface.
99. • Suppose we tell the router that only 10.0.0.10
has the right to access the 30.0.0.1. To match
with this condition router will take following
actions:-
• Grab source and destination address from the packet
• Match both addresses with given condition
• If packet is not arrived from 10.0.0.10, drop the packet
immediately.
• If packet is not intended from 30.0.0.1, drop the packet
immediately.
• If both condition match find an entry for destination address in
routing table
• If match found, forwards the packet from associate interface
• If no match found, discard the packet immediately.
100. Now only the packets from 10.0.0.10 are allowed to pass from router. With this
condition adversary will not be able to access the server. We can create as much
conditions as we want. Technically these conditions are known as ACLs. Besides
filtering unwanted traffic, ACLs are used for several other purposes such as
prioritizing traffic for QoS (Quality of Services), triggering alert, restricting remote
access, debugging, VPN and much more.
101. Direction and Location of ACL
• A packet interacts with three locations during its journey from
router:-
1. Packet arrives in interface (Entrance)
2. Router makes forward decision
3. Packet outs from interface (Exit)
• We cannot filter the packet in the middle of router where it makes
forward decision. Decision making process has its own logic and
should not be interfered for filtering purpose. After excluding this
location, we have two locations; entrance and exit. We can apply
our ACLs conditions on these locations.
• ACL conditions applied on entrance work as inbound filter. ACL
conditions applied on exit work as outbound filter.
• Inbound ACLs filter the traffic before router makes forward
decision. Outbound ACLs filter the traffic after the router makes
forward decision.
102. Key points
•We must have to apply ACLs on interface which process the packet.
•ACLs must be applied in data flow direction. Inbound ACLs must be
placed in entrance interface. Outbound ACLs must be placed in exit
interface.
•Once applied, ACL will filter every packet passing through the interface.
105. Click to view examples
How ACLs Work
Inbound (as the traffic comes into an interface) Outbound (before the traffic exits an interface)
131
106. Rules for ACL
• The standard Access-list is generally applied close to
the destination (but not always).
• The extended Access-list is generally applied close to
the source (but not always).
• We can assign only one ACL per interface per
protocol per direction, i.e., only one inbound and
outbound ACL is permitted per interface.
• We can’t remove a rule from an Access-list if we are
using numbered Access-list. If we try to remove a rule
then whole ACL will be removed. If we are using
named access lists then we can delete a specific rule.
107. Rules for ACL Cont..
• Every new rule which is added into the access list will
be placed at the bottom of the access list therefore
before implementing the access lists, analyses the
whole scenario carefully.
• As there is an implicit deny at the end of every
access list, we should have at least a permit
statement in our Access-list otherwise all traffic will be
denied.
• Standard access lists and extended access lists
cannot have the same name.
108. Advantage of ACL
• Improve network performance.
• Provides security as administrator can
configure the access list according to
the needs and deny the unwanted
packets from entering the network.
• Provides control over the traffic as it can
permit or deny according to the need of
network.
109. Disadvantage of ACL
• Access control systems can be hacked.
• The maximum of number of ACLs is 100.
• The maximum number of rules per ACL is 8–10.
110. DMZ (De-Militarized Zone)
• It is used to improve the security of the
organization network.
• By segregating devices, such as computers
and servers, on the opposite sides of a
firewall.
111. Demilitarized Zone (DMZ) Networks
• A DMZ network (also called perimeter network) is a subnet that
contains an organization’s services that are exposed to a larger
untrusted network (like the Internet).
• In other words, the DMZ comprises of hosts that provide services
to users outside the internal LANs, such as e-mail, web, DNS
servers.
• Because of the higher chances of these hosts being compromised,
they are placed into their own sub-network in order to protect the
rest of the network if an intruder were to succeed in attacking them.
• Thus, a DMZ network adds an additional layer of security to an
organization’s LAN – an external attacker only has access to the
hosts in the DMZ and not to any other internal networks.
• Hosts in the DMZ provide services to both the internal and external
networks – an external (“front-end”) firewall monitors the traffic
between the DMZ network and the external Internet; while, an
internal (“back-end”) firewall monitors the traffic between the DMZ
hosts and the internal network clients.
139
119. Note: Servers that need less
protection, because they may have
less critical information, could be
placed in the external DMZ network
- that is even outside the external
firewall.
Distributed
Firewalls
147
122. Intrusion
• Intrusion occurs when attacker attempts to gain entry or disrupt normal
operations of information systems, almost always with intent to do harm
• Intrusion detection consists of procedures and systems that identify system
intrusions
• Intrusion reaction encompasses actions an organization takes when intrusion is
detected
• Intrusion prevention consists of activities that deter intrusion
• Intrusion correction activities finalize restoration of operations to a normal state
and seek to identify source and method of intrusion to ensure same type of
attack cannot occur again
123. IDS
• An Intrusion Detection System (IDS) is a system
that monitors network traffic for suspicious activity
and issues alerts when such activity is discovered.
• It is a software application that scans a network or a
system for harmful activity or policy breaching.
124. IDS SETUP
• Although intrusion detection systems monitor networks for
potentially malicious activity, they are also disposed to false
alarms.
• Hence, organizations need to fine-tune their IDS products
when they first install them.
• It means properly setting up the intrusion detection systems to
recognize what normal traffic on the network looks like as
compared to malicious activity.
125. Firewall Vs IDS
• DS and firewall both are related to the network security but an
IDS differs from a firewall as a firewall looks outwardly for
intrusions in order to stop them from happening.
• Firewalls restrict access between networks to prevent
intrusion and if an attack is from inside the network it don’t
signal.
• An IDS describes a suspected intrusion once it has happened
and then signals an alarm.
126. Advantages of IDS
• The network or computer is constantly monitored for any invasion or
attack.
• The system can be modified and changed according to the needs of
specific clients and can help outside as well as inner threats to the
system and network.
• It effectively prevents any damage to the network.
• It provides a user-friendly interface which allows easy security
management systems.
• Any alterations to files and directories on the system can be easily
detected and reported.
127. Disadvantages of IDS
• An only disadvantage of the Intrusion Detection
System is they cannot detect the source of the attack
and in any case of attack, they just lock the whole
network.
• Do Not Process Encrypted Packets
128. IDS vs IPS
• Intrusion detection systems (IDS) Sniffs and reports possible violations. work
like a burglar alarm: detect violation, activate alarm. Difference between
Firewall/IDS: Can name attack
• Intrusion prevention system (IPS) can detect intrusion and launch an active
response. Reports violations and prevents attacks from occurring. Does inline
processing, similar to a Firewall: drop packets, reset connections, route
suspicious traffic for analysis. Problems: Delays in processing; bottleneck
• IDS and IPS systems often coexist
• Since IDS/IPS have high rate of False Positives, they require extensive
optimization
• Intrusion detection/prevention system (IDPS) describes current
anti-intrusion technologies
130. Comparing IDS and IPS
Advantages Disadvantages
▪ No impact on network (latency, jitter)
▪ No network impact if there is a sensor failure
▪ No network impact if there is sensor overload
▪ Response action cannot stop trigger
packets
▪ Correct tuning required for response
actions
▪ Must have a well thought-out security
policy
▪ More vulnerable to network evasion
techniques
ID
S
Advantages Disadvantages
▪ Stops trigger packets
▪ Can use stream normalization techniques
▪ Sensor issues might affect network traffic
▪ Sensor overloading impacts the network
▪ Must have a well thought-out security
policy
▪ Some impact on network (latency, jitter)
IP
S
158
131. Criteria Type Description
Approaches to
Identifying Malicious
Traffic
Signature-based A vendor provides a customizable signature database.
Anomaly-based “Normal” and “abnormal” traffic is defined.
Policy-based Policy definition and description is created
Honeypot-based Sacrificial host is set up to lure the attacker.
Deployment Options
Network-based Network sensors scan traffic that is destined to many hosts.
Host-based Host agent monitors all operations within an operating system.
IDPS Types and Options
159
132. Classification of IDS
• Network Intrusion Detection System (NIDS)
• Host Intrusion Detection System (HIDS)
• Protocol-based Intrusion Detection System (PIDS)
• Application Protocol-based Intrusion Detection
System (APIDS)
• Hybrid Intrusion Detection System
133. (1) Network Intrusion Detection System (NIDS)
• Network intrusion detection systems (NIDS) are set up at a planned point within
the network to examine traffic from all devices on the network.
• It performs an observation of passing traffic on the entire subnet and matches
the traffic that is passed on the subnets to the collection of known attacks.
• Once an attack is identified or abnormal behavior is observed, the alert can be
sent to the administrator.
• An example of an NIDS is installing it on the subnet where firewalls are
located in order to see if someone is trying crack the firewall.
134. Network-based IDS (NIDS)
• NIDS are placed next to the firewall on the
network perimeter and analyze the traffic as it
passe by for the protocols, source, destination,
content, traffic already seen and etc.
• A NIDS typically looks for traffic that typify
hostile actions or misuse, such as the
following:
• – Denial-of-service attacks, Port scans or sweeps, Malicious content
in the data payload of a packet or packets, Vulnerability scanning,
Trojans, Viruses, Worms, Tunneling and Brute-force attacks.
• The traffic collector of a NIDS logically
attaches itself to a Network Interface Card
(NIC) that operates in promiscuous mode
(stealth mode) and sniffs the passing
traffic.
Source: Figure 13.4 from Conklin and White –
Principles of Computer Security, 2nd
Edition
162
136. NIDS: Advantages and Disadvantages
Advantages of a NIDS
• Less Overhead: With a few well-placed NIDSs, one can monitor the entire network traffic going
in and out of the organization. Also, upgrading and maintaining a fewer number of NIDSs is
usually much cheaper than upgrading and maintaining hundreds of host-based IDSs.
• Big Picture: The collection of the few NIDSs can have visibility into all the network traffic and
can correlate attacks (whether they are widespread or concentrated, unorganized or focused)
among multiple systems.
Disadvantages of a NIDS
• A NIDS is ineffective when traffic is encrypted.
• A NIDS cannot see traffic that does not cross it – If a NIDS is placed only in the perimeter,
chances are that it could miss traffic traversing the internal network.
• A NIDS must be able to handle high volumes of traffic (even 1-Gbps is common nowadays)
with the availability of networks with larger bandwidth.
• A NIDS does not know about activities on the hosts themselves. 164
137. Active vs. Passive NIDS
Passive NIDS:
• A passive NIDS simply watches the traffic, analyzes it and generates alarms.
• It does not interact with the traffic itself in any way, and it does not modify the defensive
posture of the system to react to the traffic.
Active NIDS:
• An active NIDS contains all the same components and capabilities of the passive NIDS with
one critical addition – the active NIDS can react to the traffic it is analyzing.
• The reactions of an active NIDS could range from something simple, such as sending a TCP
reset message to interrupt a potential attack and disconnect a session, to something complex,
such as dynamically modifying firewall rules to reject all traffic from specific source IP
addresses for the next few hours or days.
• Active NIDS are also referred to as Intrusion Prevention Systems (IPSs). When configured with
the private keys of the servers in the internal network, IPSs would be able to decrypt the SSH
connection establishment messages between a client and server and extract the session keys
that would be used during the complete session. This gives an added advantage for the
IDS/IPS to handle encrypted traffic. 165
138. (2) Host Intrusion Detection System (HIDS)
• Host intrusion detection systems (HIDS) run on independent hosts or
devices on the network.
• A HIDS monitors the incoming and outgoing packets from the device
only and will alert the administrator if suspicious or malicious activity is
detected.
• It takes a snapshot of existing system files and compares it with the
previous snapshot.
• If the analytical system files were edited or deleted, an alert is sent to
the administrator to investigate.
• An example of HIDS usage can be seen on mission critical
machines, which are not expected to change their layout.
139. Host-based IDS (HIDS)
HIDSs can operate in real-time, looking for
activity as it occurs, or in batch mode, looking
for activity on a periodic basis.
• HIDS will use up some of the local system
resources (like memory and CPU cycles) to
operate.
• The Analysis Engine of a HIDS could also use a
decision tree to expedite pattern matching.
Logical
Layout of a
HIDS
Source: Figure 13.16 from Conklin and
White – Principles of Computer Security, 2nd
Edition
Root
Process
Log
Entry
File
Change
User
Action
167
140. Advantages of HIDS
• A HIDS can be very operating system-specific and have more detailed
signatures.
• A HIDS can reduce false-positive rates.
– Administrators can avoid generic alarms and develop more specific, detailed signatures
to identify malicious traffic much more accurately.
• A HIDS can examine data after it has been decrypted.
– Encrypted traffic that is unreadable to a NIDS could be examined using a HIDS, when
designed and implemented in the right manner.
• A HIDS can be very application specific.
– At the host level, a HIDS can be designed, modified or tuned to work very well on specific
applications without having to analyze or even hold signatures for other applications that are
not running on that particular system.
• A HIDS can determine whether or not an alarm may impact that specific system.
– Since a HIDS resides on the system, it can verify things such as patch levels, presence of
certain critical files and system state while analyzing traffic. By knowing all these details, a
HIDS can more accurately determine whether an activity or pattern would be potentially
harmful to the system.
This can significantly reduce the number of generated alarms.
168
141. Disadvantages of HIDS
• The HIDS must be installed on every system to be protected.
• The HIDS can have a high cost of ownership and maintenance. Even with a central
console, with a HIDS, there will be a high number of processes to maintain, software
to update, and parameters to tune.
• The HIDS uses local system resources.
– The resources (for e.g., CPU cycles and memory) used by a HIDS are no longer available for
the host system to perform its other functions.
• The HIDS has a very focused view and cannot relate to activity around it – can tell only
if the system it is running on is under attack.
• The HIDS, if logged locally, could be compromised or disabled.
– If the HIDS stores its generated alarm traffic on the local system, an attacker who is successful in
breaking into the system may be able to modify or delete those alarms. Even though the
presence of an empty log file could indicate that the system was attacked, it would not be
possible to conduct any sort of post-incident investigation.
– Solution: It would be a better security practice to store or make a copy of the log information (at
least security-related) on a separate system.
169
142. 3. Protocol-based Intrusion Detection System
(PIDS)
• Protocol-based intrusion detection system (PIDS)
comprises of a system or agent that would consistently
resides at the front end of a server, controlling and
interpreting the protocol between a user/device and the
server.
• It is trying to secure the web server by regularly monitoring
the HTTPS protocol stream and accept the related HTTP
protocol.
• As HTTPS is un-encrypted and before instantly entering
its web presentation layer then this system would need to
reside in this interface, between to use the HTTPS.
143. 4. Application Protocol-based Intrusion Detection
System (APIDS)
• Application Protocol-based Intrusion Detection
System (APIDS) is a system or agent that generally
resides within a group of servers.
• It identifies the intrusions by monitoring and
interpreting the communication on application specific
protocols.
• For example, this would monitor the SQL protocol
explicit to the middleware as it transacts with the
database in the web server.
144. 5. Hybrid Intrusion Detection System
• Hybrid intrusion detection system is made by the combination of two or
more approaches of the intrusion detection system.
• In the hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the
network system.
• Hybrid intrusion detection system is more effective in comparison to the
other intrusion detection system. Prelude is an example of Hybrid IDS.
147. 1. Signature-based Method
• Signature-based IDS detects the attacks on the basis
of the specific patterns such as number of bytes or
number of 1’s or number of 0’s in the network traffic.
• It also detects on the basis of the already known
malicious instruction sequence that is used by the
malware.
• The detected patterns in the IDS are known as
signatures.
• Signature-based IDS can easily detect the attacks
whose pattern (signature) already exists in system but
it is quite difficult to detect the new malware attacks as
their pattern (signature) is not known.
148. 2. Anomaly-based Method
• Anomaly-based IDS was introduced to detect the unknown
malware attacks as new malware are developed rapidly.
• In anomaly-based IDS there is use of machine learning to
create a trustful activity model and anything coming is
compared with that model and it is declared suspicious if it is
not found in model.
149. 3.Policy Based Method
• Policy-Based - This approach requires administrators to configure
security policies according to organizational security policies and the
network infrastructure.
• When an activity occurs that violates a security policy, an alert is
triggered and sent to the system administrators
• Policy-based techniques establish boundaries between the allowed and
not allowed events by imposing a set of rules.
• It solves two major problems:
(1) detection of unknown attacks,
(2) classification of normal unseen behaviour into
attack class.
This approach is flexible.
150. 4. Honeypot Based Method
• A honeypot is a trap to detect, deflect or in some manner counteract attempts at
unauthorized use of information systems. –
• A honeypot is usually a computer, and sometimes data or an unused IP address space
that appears to be part of a network but which is actually isolated, unprotected and
monitored, and which seems to contain information or a resource that would be of value
to attackers.
• Honeypots have no production value and hence should not see any legitimate traffic
or activity. Whatever they capture can be surmised as malicious or unauthorized.
• A honeynet is a network of honeypots. A honeynet is used for monitoring a larger
and/or more diverse network in which one honeypot may not be sufficient.
• A honeypot/ honeynet is more of a preventative approach of detecting potential
attackers existing in the Internet who may target the organization network in the near
future.
151. Approaches to Identifying
Malicious Traffic Advantages Disadvantages
Signature-base
d
Detection
• Easy configuration
• Fewer false positives
• Good signature design
• No detection of unknown signatures
• Initially a lot of false positives
• Signatures must be created, updated,
and tuned
Anomaly-based
Detection
• Simple and reliable
• Customized policies
• Can detect unknown attacks
• Generic output
• Policy must be created
Policy-based
Detection
• Easy configuration
• Can detect unknown attacks
• Difficult to profile typical activity in large
networks
• Traffic profile must be constant
Honey
Pot-Based
Detection
• Window to view attacks
• Distract and confuse attackers
• Slow down and avert attacks
• Collect information about attack
• Dedicated honey pot server
• Honey pot server must not be trusted
179
154. • computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies
(often exaggerated)
• getting more attention than deserve
• are a concern though
183
Viruses and Other Malicious Content
157. • • secret entry point into a program
• • allows those who know access bypassing usual
security procedures
• • have been commonly used by developers
• • a threat when left in production programs
• allowing exploited by attackers
• • very hard to block in O/S
• • requires good s/w development & update
186
Back Door or Trap Doors
158. 187
Logic Bomb
• • one of oldest types of malicious software
• • code embedded in legitimate program
• • activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• • when triggered typically damage system
– modify/delete files/disks, halt machine, etc
159. • program with hidden side-effects
• which is usually superficially attractive
– eg game, s/w upgrade etc
• when run performs some additional tasks
– allows attacker to indirectly gain access they
do not have directly
• often used to propagate a virus/worm or
install a backdoor or simply to destroy data
188
Trojan Horse
160. • A program that secretly takes over another
internet attached computer and then uses that
computer to launch attacks that are difficult to
trace to the zombie’s creator.
189
Zombie
161. piece of software that infects programs
modifying them to include a copy of the virus
so it executes secretly when host program is
run
specific to operating system and hardware
taking advantage of their details and
weaknesses
190
Virus
The Nature of Viruses
165. 194
Network Worms
Network worm uses some sort of network
vehicle. Examples include:
• Electronic mail facility
• Remote execution capability
• Remote login capability
166. • Morris Worm. The Morris Worm was a
self-replicating computer program (worm) written
by Robert Tappan Morris, a student at Cornell
University, and released from MIT on November 2,
1988. ... The worm spread by exploiting
vulnerabilities in UNIX send mail, finger, and
rsh/rexec as well as by guessing weak passwords.
• Developer: Robert Tappan Morris
• Start date: November 2, 1988
195
The Morris Worm
168. THREE METHODS TO DETECT MALWARE-
Signature Detection
Change Detection
State Detection
169. Signature Detection
• It detects the patterns or signatures in a particular
program that may be malware.
• When malware is suspected, it is verified against the
database of known bad code fragments.
• ADVANTAGE
Users and administrators can perform a simple
precautionary measure keeping signature files up to
date and periodically scanning for viruses.
• DISADVANTAGE
The signature files may be quite large, which makes
scanning slow
170. Change Detection
• Finding files that have been changed is
called change detection.
• A file that changes unexpectedly may be due to
a virus infection.
• Advantages:
If a file has been infected, a change can be
detected. An unknown malware, one not
previously identified (zero-day), can be detected
through change detection.
171. State Detection
• State detection aims to detect unusual/
anomalous behavior.
• It relies on an expert system that determines if a
state change is anomalous.
• These state changes includes malicious behavior;
by extension, anomaly detection is the ability to
identify potentially malicious activity.
• To determine what is normal and what is unusual
and to be able to distinguish between the two.